This topic describes the fields of Security Center logs.
Real-time logs
Field name | Description | Example |
dir | The direction of the network connection. Valid values: | in |
src_ip | The source IP address. | 10.240.XX.XX |
src_port | The source port. | 24680 |
dst_ip | The destination IP address. | 10.240.XX.XX |
dst_port | The destination port. | 22 |
status | The status of the network connection. Note In real-time logs, the value of this field is random. You can ignore this field. | 2 |
type | The type of the real-time network connection. Valid values: | listen |
Snapshot logs (asset fingerprints)
Field name | Description | Example |
proc_path | The path of the process. | "/usr/sbin/sshd" |
proc_cmdline | The command line of the process. | "/usr/sbin/sshd -D" |
pid | The ID of the process. | 1158 |
ppid | The ID of the parent process. | 1 |
dir | The direction of the network connection. Valid values: | in |
src_ip | The source IP address. | 10.240.XX.XX |
src_port | The source port. | 24680 |
dst_ip | The destination IP address. | 10.240.XX.XX |
dst_port | The destination port. | 22 |
status | The status of the network connection. Valid values: | 2 |
Network logs
Domain Name System (DNS) logs
Field name | Description | Example |
additional | The additional field. Multiple additional fields are separated by vertical bars (|). | None |
additional_num | The number of additional fields. | 0 |
answer | The DNS answer. Multiple DNS answers are separated by vertical bars (|). | example.com A IN 52 1.2.XX.XX |
answer_num | The number of DNS answers. | 1 |
authority | The authority field. | NS IN 17597 |
authority_num | The number of authority fields. | 1 |
client_subnet | The subnet of the client. | 172.168.XX.XX |
dst_ip | The destination IP address. | 1.2.XX.XX |
dst_port | The destination port. | 53 |
in_out | The direction of data transmission. Valid values: | out |
qid | The ID of the query. | 12345 |
qname | The domain name that is queried. | example.com |
qtype | The type of the query. | A |
query_datetime | The timestamp of the query. Unit: milliseconds. | 1537840756263 |
rcode | The code returned. | 0 |
region | The ID of the source region. Valid values: | 1 |
response_datetime | The response time. | 2018-09-25 09:59:16 |
src_ip | The source IP address. | 1.2.XX.XX |
src_port | The source port. | 22 |
Internal DNS logs
Field name | Description | Example |
answer_rda | The DNS answer. Multiple DNS answers are separated by vertical bars (|). | example.com |
answer_ttl | The time to live (TTL) of the DNS answer. Multiple TTLs are separated by vertical bars (|). | 100 |
answer_type | The type of the DNS answer. Multiple types are separated by vertical bars (|). | 1 |
anwser_name | The name of the DNS answer. Multiple names are separated by vertical bars (|). | example.com |
dest_ip | The destination IP address. | 1.2.XX.XX |
dest_port | The destination port. | 53 |
group_id | The ID of the group. | 3 |
hostname | The name of the host. | hostname |
id | The ID of the query. | 64588 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address. | 1.2.XX.XX |
ip_ttl | The TTL of the IP address. | 64 |
query_name | The domain name that is queried. | example.com |
query_type | The type of the query. Valid values: | 1 |
src_ip | The source IP address. | 1.2.XX.XX |
src_port | The source port. | 1234 |
time | The timestamp of the query. Unit: seconds. | 1537840756 |
time_usecond | The response duration. Unit: microseconds. | 49069 |
tunnel_id | The ID of the tunnel. | 514763 |
Network session logs
Field name | Description | Example |
asset_type | The type of the asset from which the log is collected. Valid values: | ECS |
dst_ip | The destination IP address. | 1.2.XX.XX |
dst_port | The destination port. | 53 |
proto | The protocol type. Valid values: | tcp |
session_time | The time when the session starts. | 2018-09-25 09:59:49 |
src_ip | The source IP address. | 1.2.XX.XX |
src_port | The source port. | 54 |
Web access logs
Field name | Description | Example |
content_length | The length of the message body. Unit: bytes. | 123 |
dst_ip | The destination IP address. | 1.2.XX.XX |
dst_port | The destination port. | 54 |
host | The host that is accessed. | 47.XX.XX.158:8080 |
jump_location | The redirection address. | 123 |
method | The HTTP request method. | GET |
referer | The HTTP referer field. The field contains the URL of the web page that is linked to the resource being requested. | www.example.com |
request_datetime | The time when the request is initiated. | 2018-09-25 09:58:37 |
ret_code | The HTTP status code returned. | 200 |
rqs_content_type | The type of the request content. | text/plain;charset=utf-8 |
rsp_content_type | The type of the response content. | text/plain; charset=utf-8 |
src_ip | The source IP address. | 1.2.XX.XX |
src_port | The source port. | 54 |
uri | The request URI. | /report |
user_agent | The user agent that initiates the request. | okhttp/3.2.0 |
x_forward_for | The routing information. | 1.2.XX.XX |
Security logs
Vulnerability logs
Field name | Description | Example |
name | The name of the vulnerability. | oval:com.redhat.rhsa:def:20182390 |
alias_name | The alias of the vulnerability. | RHSA-2018:2390: kernel security and bug fix update |
op | The operation on the vulnerability. Valid values: | new |
status | The status of the vulnerability. | 1 |
tag | The tag that is added to the vulnerability. Valid values: | oval |
type | The type of the vulnerability. Valid values: | sys |
uuid | The UUID of the server. | 1234-b7ca-4a0a-9267-12**** |
Baseline logs
Field name | Description | Example |
level | The severity of the risk item. Valid values: | low |
op | The operation. Valid values: | new |
risk_name | The name of the risk item. | Password compliance check |
status | The information about the status. For more information, see Status codes of security logs. | 1 |
sub_type_alias | The alias of the sub type in Chinese. | System account security |
sub_type_name | The name of the sub type. | system_account_security |
type_name | The name of the check type. | account |
type_alias | The alias of the check type in Chinese. | cis |
uuid | The UUID of the server on which the risk item is detected. | 12345-b7ca-4a0a-9267-123456 |
Baseline types and sub types
Type | Sub type | Description |
hc_exploit | hc_exploit_redis | High risk exploit-Redis unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_activemq | High risk exploit-ActiveMQ unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_couchdb | High risk exploit - CouchDB unauthorized access high exploit risk |
hc_exploit | hc_exploit_docker | High risk exploit - Docker unauthorized access high vulnerability risk |
hc_exploit | hc_exploit_es | High risk exploit - Elasticsearch unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_hadoop | High risk exploit - Hadoop unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_jboss | High risk exploit - Jboss unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_jenkins | High risk exploit - Jenkins unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_k8s_api | High risk exploit - Kubernetes Apiserver unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_ldap | High risk exploit - LDAP unauthorized access high exploit vulnerability risk (Windows) |
hc_exploit | hc_exploit_ldap_linux | High risk exploit-OpenLDAP unauthorized access vulnerability baseline (Linux) |
hc_exploit | hc_exploit_memcache | High risk exploit - Memcached unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_mongo | High risk exploit - Mongodb unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_pgsql | High risk exploit-Postgresql unauthorized access to high-risk risk baseline |
hc_exploit | hc_exploit_rabbitmq | High risk exploit-RabbitMQ unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_rsync | High risk exploit - rsync unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_tomcat | High risk exploit - Apache Tomcat AJP File Read/Inclusion Vulnerability |
hc_exploit | hc_exploit_zookeeper | High risk exploit - ZooKeeper unauthorized access high exploit vulnerability risk |
hc_container | hc_docker | Alibaba Cloud Standard -DockerSecurity Baseline Check |
hc_container | hc_middleware_ack_master | CIS standard-Kubernetes(ACK) Master node security inspection |
hc_container | hc_middleware_ack_node | CIS standard-Kubernetes(ACK) node security inspection |
hc_container | hc_middleware_k8s | Alibaba Cloud Standard-Kubernetes-Master security baseline check |
hc_container | hc_middleware_k8s_node | Alibaba Cloud Standard-Kubernetes-Node security baseline check |
cis | hc_suse 15_djbh | SUSE Linux 15 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_aliyun_linux3_djbh_l3 | Alibaba Cloud Linux 3 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_aliyun_linux_djbh_l3 | Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_bind_djbh | China's Level 3 Protection of Cybersecurity - Bind Compliance Baseline Check |
cis | hc_centos 6_djbh_l3 | CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_centos 7_djbh_l3 | CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_centos 8_djbh_l3 | CentOS Linux 8 Baseline for China classified protection of cybersecurity - Level III |
cis | hc_debian_djbh_l3 | Debian Linux 8/9/10 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_iis_djbh | IIS Baseline for China classified protection of cybersecurity-Level III |
cis | hc_informix_djbh | China's Level 3 Protection of Cybersecurity - Informix Compliance Baseline Check |
cis | hc_jboss_djbh | Jboss6/7 Compliance Baseline Check |
cis | hc_mongo_djbh | MongoDB Baseline for China classified protection of cybersecurity-Level III |
cis | hc_mssql_djbh | China's Level 3 Protection of Cybersecurity -SQL Server Compliance Baseline Check |
cis | hc_mysql_djbh | China's Level 3 Protection of Cybersecurity - MySql Compliance Baseline Check |
cis | hc_nginx_djbh | China's Level 3 Protection of Cybersecurity - Nginx Compliance Baseline Check |
cis | hc_oracle_djbh | China's Level 3 Protection of Cybersecurity - Oracle Compliance Baseline Check |
cis | hc_pgsql_djbh | Level 3-PostgreSql compliance baseline check |
cis | hc_redhat 6_djbh_l3 | China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 6 Compliance Baseline Check |
cis | hc_redhat_djbh_l3 | China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 7 Compliance Baseline Check |
cis | hc_redis_djbh | Redis Baseline for China classified protection of cybersecurity-Level III |
cis | hc_suse 10_djbh_l3 | SUSE Linux 10 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_suse 12_djbh_l3 | SUSE Linux 12 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_suse_djbh_l3 | SUSE Linux 11 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_ubuntu 14_djbh_l3 | Ubuntu 14 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_ubuntu_djbh_l3 | China's Level 3 Protection of Cybersecurity - Ubuntu 16/18/20 Compliance Baseline Check |
cis | hc_was_djbh | China's Level 3 Protection of Cybersecurity - Websphere Application Server Compliance Baseline Check |
cis | hc_weblogic_djbh | Weblogic Baseline for China classified protection of cybersecurity-Level III |
cis | hc_win 2008_djbh_l3 | China's Level 3 Protection of Cybersecurity - Windows Server 2008 R2 Compliance Baseline Check |
cis | hc_win 2012_djbh_l3 | Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_win 2016_djbh_l3 | Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level III |
cis | hc_aliyun_linux_djbh_l2 | Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_centos 6_djbh_l2 | CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_centos 7_djbh_l2 | CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_debian_djbh_l2 | Debian Linux 8 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_redhat 7_djbh_l2 | Redhat Linux 7 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_ubuntu_djbh_l2 | Linux Ubuntu 16/18 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_win 2008_djbh_l2 | Windows 2008 R2 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_win 2012_djbh_l2 | Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_win 2016_djbh_l2 | Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level II |
cis | hc_aliyun_linux_cis | Alibaba Cloud Linux/Aliyun Linux 2 CIS Benchmark |
cis | hc_centos 6_cis_rules | CIS CentOS Linux 6 LTS Benchmark |
cis | hc_centos 7_cis_rules | CIS CentOS Linux 7 LTS Benchmark |
cis | hc_centos 8_cis_rules | CIS CentOS Linux 8 LTS Benchmark |
cis | hc_debian 8_cis_rules | CIS Debian Linux 8 Benchmark |
cis | hc_ubuntu 14_cis_rules | CIS Ubuntu Linux 14 LTS Benchmark |
cis | hc_ubuntu 16_cis_rules | CIS Ubuntu Linux 16/18/20 LTS Benchmark |
cis | hc_win 2008_cis_rules | CIS Microsoft Windows Server 2008 R2 Benchmark |
cis | hc_win 2012_cis_rules | CIS Microsoft Windows Server 2012 R2 Benchmark |
cis | hc_win 2016_cis_rules | CIS Microsoft Windows Server 2016/2019 R2 Benchmark |
cis | hc_kylin_djbh_l3 | China's Level 3 Protection of Cybersecurity - Kylin Compliance Baseline Check |
cis | hc_uos_djbh_l3 | China's Level 3 Protection of Cybersecurity - uos Compliance Baseline Check |
hc_best_security | hc_aliyun_linux | Alibaba Cloud Linux/Aliyun Linux 2 Benchmark |
hc_best_security | hc_centos 6 | Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check |
hc_best_security | hc_centos 7 | Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check |
hc_best_security | hc_debian | Alibaba Cloud Standard - Debian Linux 8/9/10 Security Baseline |
hc_best_security | hc_redhat 6 | Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check |
hc_best_security | hc_redhat 7 | Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check |
hc_best_security | hc_ubuntu | Alibaba Cloud Standard - Ubuntu Security Baseline |
hc_best_security | hc_windows_2008 | Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check |
hc_best_security | hc_windows_2012 | Alibaba Cloud Standard - Windows 2012 R2 Security Baseline |
hc_best_security | hc_windows_2016 | Alibaba Cloud Standard - Windows 2016/2019 Security Baseline |
hc_best_security | hc_db_mssql | Alibaba Cloud Standard-SQL Server Security Baseline Check |
hc_best_security | hc_memcached_ali | Alibaba Cloud Standard - Memcached Security Baseline Check |
hc_best_security | hc_mongodb | Alibaba Cloud Standard - MongoDB version 3.x Security Baseline Check |
hc_best_security | hc_mysql_ali | Alibaba Cloud Standard - Mysql Security Baseline Check |
hc_best_security | hc_oracle | Alibaba Cloud Standard - Oracle 11g Security Baseline Check |
hc_best_security | hc_pgsql_ali | Alibaba Cloud Standard-PostgreSql Security Initialization Check |
hc_best_security | hc_redis_ali | Alibaba Cloud Standard - Redis Security Baseline Check |
hc_best_security | hc_apache | Alibaba Cloud Standard - Apache Security Baseline Check |
hc_best_security | hc_iis_8 | Alibaba Cloud Standard - IIS 8 Security Baseline Check |
hc_best_security | hc_nginx_linux | Alibaba Cloud Standard - Nginx Security Baseline Check |
hc_best_security | hc_suse 15 | Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check |
hc_best_security | tomcat 7 | Alibaba Cloud Standard-Apache Tomcat Security Baseline |
weak_password | hc_mongodb_pwd | Weak Password-MongoDB Weak Password baseline(support version 2. X) |
weak_password | hc_weakpwd_ftp_linux | Weak password - Ftp login weak password baseline |
weak_password | hc_weakpwd_linux_sys | Weak password - Linux system login weak password baseline |
weak_password | hc_weakpwd_mongodb 3 | Weak Password-MongoDB Weak Password baseline |
weak_password | hc_weakpwd_mssql | Weak password - SQL Server DB login weak password baseline |
weak_password | hc_weakpwd_mysql_linux | Weak password - Mysql DB login weak password baseline |
weak_password | hc_weakpwd_mysql_win | Weak password - Mysql DB login weak password baseline(Windows version) |
weak_password | hc_weakpwd_openldap | Weak password - Openldap login weak password baseline |
weak_password | hc_weakpwd_oracle | Weak Password-Oracle login weak password detection |
weak_password | hc_weakpwd_pgsql | Weak password - PostgreSQL DB login weak password baseline |
weak_password | hc_weakpwd_pptp | Weak password - pptpd login weak password baseline |
weak_password | hc_weakpwd_redis_linux | Weak password - Redis DB login weak password baseline |
weak_password | hc_weakpwd_rsync | Weak password - rsync login weak password baseline |
weak_password | hc_weakpwd_svn | Weak password - svn login weak password baseline |
weak_password | hc_weakpwd_tomcat_linux | Weak password - Apache Tomcat Console weak password baseline |
weak_password | hc_weakpwd_vnc | Weak password-VncServer weak password check |
weak_password | hc_weakpwd_weblogic | Weak password-Weblogic 12c login weak password detection |
weak_password | hc_weakpwd_win_sys | Weak password - Windows system login weak password baseline |
Status codes in security logs
Status code | Description |
1 | Unfixed. |
2 | Fixing failed. |
3 | Rollback failed. |
4 | Fixing. |
5 | Rolling back. |
6 | Verifying. |
7 | Fixed. |
8 | Fixed and to be restarted. |
9 | Rolled back. |
10 | Ignored. |
11 | Rolled back and to be restarted. |
12 | No longer exists. |
20 | Expired. |
Status codes in alerts
Status code | Description |
1 | Unhandled. |
2 | Ignored. |
4 | Confirmed. |
8 | Marked as false positives. |
16 | Handling. |
32 | Handled. |
64 | Expired. |
128 | Deleted. |
512 | Automatic blocking. |
513 | Automatically blocked. |
Status codes in baseline logs
Status code | Description |
1 | Baseline checks failed. |
2 | Verifying. |
3 | Baseline checks passed. |
5 | Expired. |
6 | Ignored. |
7 | Fixing. |
Alert logs
Field name | Description | Example |
data_source | The data source. For more information, see Data source of alerts. | aegis_login_log |
level | The severity of the alert event. The following valid values are listed in descending order: | suspicious |
name | The name of the alert. | Suspicious Process-SSH-based Remote Execution of Non-interactive Commands |
op | The operation. Valid values: | new |
status | The information about the status. For more information, see Status codes of security logs. | 1 |
uuid | The UUID of the server on which the alert is generated. | 12345-b7ca-4a0a-9267-123456 |
detail | The details of the alert. Note The content of the detail field in the log varies based on the alert type. If you have questions about the parameters in the detail field when you view alert logs, you can submit a ticket to contact technical support. | The content of the detail field is long. The following content is extracted from the detail field in an alert log that is generated for an unapproved location logon to a server: {"loginSourceIp":"120.27.XX.XX","loginTimes":1,"type":"login_common_location","loginDestinationPort":22,"loginUser":"aike","protocol":2,"protocolName":"SSH","location":"Qingdao"} |
unique_info | The unique ID of the alert. | 2536dd765f804916a1fa3b9516b5**** |
Data source of alerts
Value | Description |
aegis_suspicious_event | Host exceptions |
aegis_suspicious_file_v2 | Webshells |
aegis_login_log | Unusual logons |
security_event | Security Center exceptions |
Configuration assessment logs
Field name | Description | Example |
check_id | The ID of the check item. You can call the ListCheckResult operation to query the IDs of check items. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services. | 235 |
instance_id | The ID of the instance. | i-bp12mkcxuvqvxxzn**** |
instance_name | The name of the instance. | lsm |
instance_result | The impacts of risks. The value is a JSON string. | {"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]} |
instance_sub_type | The subtype of the instance. Valid values: | INSTANCE |
instance_type | The type of the instance. Valid values: | ECS |
region_id | The region ID of the instance. | cn-hangzhou |
requirement_id | The requirement item ID. You can call the ListCheckStandard operation to query the IDs of requirement items. The operation is used to query the standards of configuration checks. | 5 |
risk_level | The risk level. Valid values: | MEDIUM |
section_id | The section ID. You can call the ListCheckResult operation to query section IDs. | 1 |
standard_id | The standard ID. You can call the ListCheckStandard operation to query standard IDs. | 1 |
status | The status of the check item. Valid values: | PASS |
vendor | The cloud service provider. The value is fixed as ALIYUN. | ALIYUN |
Host logs
Process startup logs
Field name | Description | Example |
uuid | The UUID of the server where the process runs. | 5d83b26b-b7ca-4a0a-9267-12**** |
ip | The IP address of the client host. | 1.2.XX.XX |
cmdline | The complete command to start the process. | cmd.exe /C "netstat -ano" |
username | The username. | administrator |
uid | The ID of the user. | 123 |
pid | The ID of the process. | 7100 |
filename | The name of the process file. | cmd.exe |
filepath | The full path of the process file. | C:/Windows/SysWOW64/cmd.exe |
groupname | The name of the user group. | group1 |
ppid | The ID of the parent process. | 2296 |
pfilename | The name of the parent process file. | client.exe |
pfilepath | The full path of the parent process file. | D:/client/client.exe |
cmd_chain | The process chain. | |
containerhostname | The name of the server in the container. | gamify-answer-bol-5-6876d5dc78-vf**** |
containerpid | The ID of the process in the container. | 0 |
containerimageid | The ID of the image. | sha256:7fee4a991f7c41c5511234dfea37a2a5c70c894fa7b4ca5c08d9fad74077**** |
containerimagename | The name of the image. | registry-vpc.cn-north-2-gov-1.aliyuncs.com/lippi-dingtalk/gamify-answer-bol-start:2020111714**** |
containername | The name of the container. | k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e010b62_0**** |
containerid | The ID of the container. | b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86**** |
cmd_chain_index | The index of the process chain. You can use an index to search for a process chain. | P253 |
cmd_index | The index of a parameter in the command line. Every two indexes are grouped to identify the start of a parameter and the end of the parameter. | 0,3,5,8 |
comm | The command name related to the process. | N/A |
gid | The ID of the process group. | 0 |
parent_cmd_line | The command line of the parent process. | /bin/sh -c ip a |grep inet|grep -v inet6|grep -v 127.0.0.1|grep -v 'inet 192.168.'|grep -v 'inet 10.'|awk '{print $2}'|sed 's#/[0-9]*##g' |
pid_start_time | The time when the parent process was started. | 2022-01-12 15:27:46 |
srv_cmd | The command line of the ancestor process. | /www/server/panel/pyenv/bin/python /www/server/panel/BT-Task |
stime | The time when the process was started. | 2022-01-12 15:27:46 |
Process snapshot logs
Field name | Description | Example |
uuid | The UUID of the server where the process runs. | 5d83b26b-b7ca-4a0a-9267-12**** |
ip | The IP address of the client host. | 1.2.XX.XX |
cmdline | The complete command to start the process. | cmd.exe /C "netstat -ano" |
pid | The ID of the process. | 7100 |
name | The name of the process file. | cmd.exe |
path | The full path of the process file. | C:/Windows/SysWOW64/cmd.exe |
md5 | The MD5 hash value of the process file. Note The MD5 algorithm is not supported for files that exceed 1 MB in size. | d0424c22dfa03f6e4d5289f7f5934dd4 |
pname | The name of the parent process file. | client.exe |
start_time | The time when the process was started. This field is built-in. | 2018-01-18 20:00:12 |
user | The username. | administrator |
uid | The ID of the user. | 123 |
Logon logs
The repeated logon attempts within 1 minute are recorded in one log. The warn_count field indicates the number of logon attempts.
Field name | Description | Example |
uuid | The UUID of the server that is logged on to. | 5d83b26b-b7ca-4a0a-9267-12**** |
ip | The IP address of the client host. | 1.2.XX.XX |
warn_ip | The source IP address. | 1.2.XX.XX |
warn_port | The logon port. | 22 |
warn_type | The logon type. Valid values: | SSHLOGIN |
warn_user | The username that is used for the logon. | admin |
warn_count | The number of logon attempts. The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the | 3 |
Brute-force attack logs
Field name | Description | Example |
uuid | The UUID of the server that is under a brute-force attack. | 5d83b26b-b7ca-4a0a-9267-12***** |
ip | The IP address of the server. | 1.2.XX.XX |
warn_ip | The source IP address. | 1.2.XX.XX |
warn_port | The logon port. | 22 |
warn_type | The logon type. Valid values: | SSHLOGIN |
warn_user | The username that is used for the logon. | admin |
warn_count | The number of failed logon attempts. | 3 |
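Because a logon log or brute-force attack log already folds every attempt from one source within a minute into a single record, the attempt count is the sum of warn_count across records, not the number of records. The following Python script is an added example, not part of the Security Center documentation: it parses constructed brute-force attack log records (field names follow the table above; values and the thresholds are made up), sums warn_count per source IP, and separates a single-account brute-force pattern from a low-volume, many-account password-spray pattern that a per-record view would miss.

```python
"""Aggregate Security Center brute-force attack logs per source IP (added example)."""
import json
from collections import defaultdict

# Field names from the "Brute-force attack logs" table; values are constructed.
# Log exports commonly deliver every field as a string, so counts are coerced below.
SAMPLE_LOG_LINES = """\
{"uuid":"srv-a-****","ip":"10.0.0.5","warn_ip":"203.0.113.7","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"root","warn_count":"40"}
{"uuid":"srv-a-****","ip":"10.0.0.5","warn_ip":"203.0.113.7","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"root","warn_count":"35"}
{"uuid":"srv-b-****","ip":"10.0.0.6","warn_ip":"203.0.113.7","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"admin","warn_count":"25"}
{"uuid":"srv-a-****","ip":"10.0.0.5","warn_ip":"198.51.100.9","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"alice","warn_count":"2"}
{"uuid":"srv-a-****","ip":"10.0.0.5","warn_ip":"198.51.100.9","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"bob","warn_count":"2"}
{"uuid":"srv-a-****","ip":"10.0.0.5","warn_ip":"198.51.100.9","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"carol","warn_count":"2"}
{"uuid":"srv-b-****","ip":"10.0.0.6","warn_ip":"198.51.100.9","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"dave","warn_count":"2"}
{"uuid":"srv-b-****","ip":"10.0.0.6","warn_ip":"198.51.100.9","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"erin","warn_count":"2"}
{"uuid":"srv-b-****","ip":"10.0.0.6","warn_ip":"198.51.100.9","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"frank","warn_count":"2"}
{"uuid":"srv-a-****","ip":"10.0.0.5","warn_ip":"192.0.2.20","warn_port":"22","warn_type":"SSHLOGIN","warn_user":"deploy","warn_count":"3"}
"""

REQUIRED = ("uuid", "ip", "warn_ip", "warn_port", "warn_type", "warn_user", "warn_count")


def parse_records(text):
    """Parse JSON-lines records, validate the documented fields and coerce numeric ones."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            raise ValueError(f"line {lineno}: missing fields {missing}")
        rec["warn_count"] = int(rec["warn_count"])
        rec["warn_port"] = int(rec["warn_port"])
        records.append(rec)
    return records


def summarize_by_source(records):
    """Per warn_ip: number of records, summed attempts, distinct users and target servers."""
    summary = defaultdict(lambda: {"records": 0, "attempts": 0, "users": set(), "servers": set()})
    for rec in records:
        entry = summary[rec["warn_ip"]]
        entry["records"] += 1
        entry["attempts"] += rec["warn_count"]   # one record = all attempts in a 1-minute window
        entry["users"].add(rec["warn_user"])
        entry["servers"].add(rec["uuid"])
    return dict(summary)


def classify(summary, brute_attempts=50, spray_users=5):
    """Label each source. Thresholds are illustrative, not values the product defines."""
    labels = {}
    for src, entry in summary.items():
        if entry["attempts"] >= brute_attempts:
            labels[src] = "brute_force"          # high volume against few accounts
        elif len(entry["users"]) >= spray_users:
            labels[src] = "password_spray"       # low volume spread over many accounts
        else:
            labels[src] = "low"
    return labels


def analyze(text, **thresholds):
    """Convenience wrapper: returns (summary, labels) for a block of JSON-lines records."""
    summary = summarize_by_source(parse_records(text))
    return summary, classify(summary, **thresholds)


if __name__ == "__main__":
    summary, labels = analyze(SAMPLE_LOG_LINES)
    for src, entry in sorted(summary.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{src:14} records={entry['records']:2} attempts={entry['attempts']:3} "
              f"users={len(entry['users'])} servers={len(entry['servers'])} -> {labels[src]}")
```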
Network connection logs
Changes in the network connections of a server are collected by the server every 10 seconds to 1 minute. The server collects the changes only from the time when a connection is established to the time when the connection ends.
Field name | Description | Example |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
ip | The IP address of the server. | 1.2.XX.XX |
src_ip | The source IP address. | 1.2.XX.XX |
src_port | The source port. | 41897 |
dst_ip | The destination IP address. | 1.2.XX.XX |
dst_port | The destination port. | 22 |
proc_name | The name of the process. | java |
proc_path | The path of the process. | /hsdata/jdk1.7.0_79/bin/java |
proto | The protocol. Valid values: | tcp |
status | The status of the network connection. For more information, see Status codes of network connections. | 5 |
cmd_chain | The process chain. | |
pid | The ID of the process. | 123 |
ppid | The ID of the parent process. | 1 |
container_hostname | The name of the server in the container. | gamify-answer-bol-5-6876d5dc78-v**** |
container_pid | The ID of the process in the container. | 0 |
container_image_id | The ID of the image. | sha256:7fee4a991f7c41c5511234dfea37a2a5c70c894fa7b4ca5c08d9fad74077**** |
container_image_name | The name of the image. | registry-vpc.cn-north-2-gov-1.aliyuncs.com/lippi-dingtalk/gamify-answer-bol-start:2020111714**** |
container_name | The name of the container. | k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e010b62_0**** |
container_id | The ID of the container. | b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86**** |
cmd_chain_index | The index of the process chain. You can use an index to search for a process chain. | P3285 |
parent_proc_file_name | The name of the parent process file. | /usr/bin/bash |
proc_start_time | The time when the process was started. | N/A |
srv_comm | The command name related to the ancestor process. | python |
uid | The ID of the user who started the process. | -1 |
username | The name of the user who started the process. | N/A |
Status codes of network connections
Status code | Description |
1 | closed |
2 | listen |
3 | syn send |
4 | syn recv |
5 | established |
6 | close wait |
7 | closing |
8 | fin_wait1 |
9 | fin_wait2 |
10 | time_wait |
11 | delete_tcb |
Port listening snapshot logs
Field name | Description | Example |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
ip | The IP address of the server. | 1.2.XX.XX |
proto | The communication protocol. Valid values: | tcp |
src_ip | The IP address of the listener. | 1.2.XX.XX |
src_port | The listening port. | 41897 |
pid | The ID of the process. | 7100 |
proc_name | The name of the process. | kubelet |
Account snapshot logs
The account snapshots contain information about the accounts that are detected in your assets.
Field name | Description | Example |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
ip | The IP address of the server. | 1.2.XX.XX |
user | The name of the user. | nscd |
perm | Indicates whether you can log on to the server as a root user. Valid values: | 0 |
home_dir | The home directory. | /Users/abc |
groups | The group to which the user belongs. The value | ["users", "root"] |
last_chg | The date when the password was last modified. | 2017-08-24 |
shell | The Linux shell command. | /sbin/nologin |
domain | The Windows domain. The value | administrator |
tty | The terminal that is logged on to. The value | pts/3 |
warn_time | The date when you are notified of expiring passwords. The value | 2017-08-24 |
account_expire | The date when the account expires. The value | 2017-08-24 |
passwd_expire | The date when the password expires. The value | 2017-08-24 |
login_ip | The IP address from which the last remote logon was initiated. The value | 1.2.XX.XX |
last_logon | The date and time of the last logon. The value | 2017-08-21 09:21:21 |
status | The status of the account. Valid values: | 0 |
DNS request logs
Field name | Description | Example |
domain | The domain name that is included in the DNS request. | example.aliyundoc.com |
ip | The IP address that is included in the DNS request. | 172.26.XX.XX |
pid | The ID of the process that initiates the DNS request. | 3544 |
ppid | The ID of the parent process that initiates the DNS request. | 3408 |
proc_cmd_chain | The chain of the process that initiates the DNS request. | "3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\"" |
proc_cmdline | The command line of the process that initiates the DNS request. | C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe |
proc_path | The path to the process that initiates the DNS request. | C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe |
time | The time when the DNS request is captured. In most cases, the value is the point in time when the DNS request is initiated. | 2023-03-28 13:26:46 |
uuid | The UUID of the server that initiates the DNS request. | 5d83b26b-b7ca-4a0a-9267-12**** |